sla.ckers.org is ha.ckers sla.cking
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Padding Oracle Attack with always 200 response
Posted by: p0deje
Date: April 21, 2011 03:07AM


I am currently pentesting an ASP.NET application and trying to exploit a Padding Oracle Attack. Those, AFAIK, are based on response code analysis, but both the ScriptResource and WebResource axds of the system under test always respond with 200 OK, even if the cipher has been invalid. In this case, however, the content of the response is an empty string.

So, the question is whether it's possible to use any of the axds as the oracle in this case, maybe based on differences in the response content.


Re: Padding Oracle Attack with always 200 response
Posted by: thornmaker
Date: April 28, 2011 06:17AM

The web server response code has nothing to do with the attack; a web server doesn't even need to be involved. The distinguishing factor (as I recall) is being able to determine whether you have an error due to faulty decryption or an error due to incorrect padding. If you can distinguish between those two cases (via any means), you're in luck.

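Added example (written for this page, not code from either poster or from ASP.NET): a toy model of the situation in the thread, with a handler that always answers 200 but with an empty body on a padding failure, beside one that verifies an HMAC over the ciphertext before any unpadding happens. The XOR "block cipher", the keys and the token layout are constructed stand-ins chosen so the code runs offline.

```python
import hashlib, hmac, os

BLOCK, TAG_LEN = 16, 32
ENC_KEY = b"constructed-key!"     # 16-byte sample key, constructed for this demo
MAC_KEY = b"constructed-mac-key"  # sample MAC key, constructed for this demo
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))  # bytewise XOR helper

# Stand-in block cipher: XOR with ENC_KEY is invertible but has no security; it
# only lets CBC chaining and PKCS#7 padding behave as they would in a real system.
def cbc_encrypt(plain, iv):
    out, prev = b"", iv
    for i in range(0, len(plain), BLOCK):
        prev = _xor(_xor(plain[i:i + BLOCK], prev), ENC_KEY)
        out += prev
    return out
def cbc_decrypt(ct, iv):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_xor(ct[i:i + BLOCK], ENC_KEY), prev)
        prev = ct[i:i + BLOCK]
    return out
def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # wherever this becomes observable, it is the oracle
    return data[:-n]
def seal(plain):  # token = iv || ciphertext || HMAC-SHA256(iv || ciphertext)
    n = BLOCK - len(plain) % BLOCK
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(plain + bytes([n]) * n, iv)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def leaky_handler(token):
    # As in the thread: always 200, but a padding failure gives an empty body while
    # anything else gives content, so the body itself is the oracle.
    body = token[:-TAG_LEN]
    try:
        return 200, unpad(cbc_decrypt(body[BLOCK:], body[:BLOCK]))
    except ValueError:
        return 200, b""
def hardened_handler(token):
    # Check the MAC over iv||ciphertext before touching the padding: a token the
    # server did not produce gets one fixed response whatever its padding would be.
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        return 200, b""
    return 200, unpad(cbc_decrypt(body[BLOCK:], body[:BLOCK]))
def corrupt_byte(token, index):  # simulate a token altered in transit (one bit flip)
    return token[:index] + bytes([token[index] ^ 1]) + token[index + 1:]
```

Flipping a bit in the first ciphertext block leaves the padding intact for the leaky handler (non-empty body) while a flip in its last byte breaks it (empty body); the hardened handler returns the same response for both, which is the property a defender wants.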
